Garrison SAVI® Isolation Platform
Deployment Brief for Government Customers
The Garrison SAVI® Isolation Platform
Silicon Assured Video Isolation (SAVI) technology from Garrison provides cross-domain “browse” access to
lower-security networks using hardware-implemented security. With the Garrison SAVI® Isolation Platform, users can gain
access to risky applications, content and services without worrying about malware or data exfiltration.
The Garrison SAVI® Isolation Appliance (GIA) is a 3U rack-mounted hardware appliance supporting 280 concurrent
users, delivering high-performance access to applications, services and content including rich media such as high
definition video. The GIA’s hardware model means user performance is consistent no matter how many concurrent
sessions, and GIA units can be racked up in parallel to support unlimited numbers of enterprise users.
Users of the GIA can gain access to one of two interfaces:
• A web browser and a suite of document viewers, designed for consuming Internet-based content
• A suite of VDI clients suitable for accessing VDI platforms from VMware® and Citrix®.
Figure 1 - Garrison SAVI® Isolation concept
The Garrison SAVI® security model
The GIA contains a Remote (LOW) and a Client (HIGH) network interface. Our unique patented Garrison SAVI®
hardware architecture ensures that only raw bitmaps (at 1080p 30fps) and raw uncompressed digital audio are
transferred from the Remote to the Client interfaces. The worst-case scenario is that malicious sites and software on
the Remote side of the appliance can show bad pictures and sounds to the Client side – with absolutely no ability to
compromise any Client-connected systems.
Keyboard and mouse commands from Client-connected end user devices flow in the other direction over a separate
dedicated hardware interface which:
• Enforces unidirectionality – no scope for this interface to be used as an attack channel from Remote to
Client interfaces
• Limits bitrate to the low levels required for keyboard and mouse commands. Attempts to exfiltrate data will
have a massively mitigated impact
• Ensures an audit copy of every mouse and keyboard message is output on the physically separate
management network interface – allowing security to monitor for inappropriate strings or for abnormal
typing or mouse movement patterns indicative of non-human control.
Finally, Garrison Secure Reboot technology means each Garrison SAVI® node used to support a user is fully rebooted
and restored to a clean state after each session, ensuring that any Remote-side malware cannot persist within
Operating System images between sessions.
All Garrison SAVI® security features are hardware-enforced, meaning the appliance itself cannot be compromised by
remote attack and can form the basis of long-lasting protection and peace of mind.
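The audit copy of keyboard messages described above can be screened with logic like the following. This is an added example, not Garrison code: the record layout (timestamp, session, key), the watchlist term and the thresholds are assumptions, and the sample records are constructed.

```python
import statistics
from collections import defaultdict

def _typed(session, start_ms, text, gaps):
    """Build constructed audit records: (milliseconds, session id, key)."""
    t, out = start_ms, []
    for ch, gap in zip(text, gaps):
        t += gap
        out.append((t, session, ch))
    return out

# Constructed sample data; the brief does not describe the real audit format.
HUMAN_GAPS = [180, 95, 240, 130, 310, 88, 150, 420, 110, 205, 160, 275, 99, 190]
SAMPLE = (
    _typed("s1", 0, "weather london", HUMAN_GAPS)
    + _typed("s2", 0, "AAAAQUJDREVGR0hJSktM", [20] * 20)  # machine-paced input
    + _typed("s3", 0, "project kestrel", HUMAN_GAPS + [140])
)

WATCHLIST = ["kestrel"]  # hypothetical sensitive term
MIN_KEYS = 10            # need enough keystrokes before judging timing
MIN_MEDIAN_MS = 40       # sustained typing faster than this is implausible
MIN_CV = 0.15            # human gaps are irregular; scripted input is not

def analyse(records):
    """Return {session: sorted alert names} for sessions that raise alerts."""
    by_session = defaultdict(list)
    for ts, session, key in sorted(records):
        by_session[session].append((ts, key))
    alerts = {}
    for session, events in by_session.items():
        found = set()
        text = "".join(k for _, k in events).lower()
        if any(term in text for term in WATCHLIST):
            found.add("watchlist-string")
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        if len(events) >= MIN_KEYS and gaps:
            mean = statistics.mean(gaps)
            # Coefficient of variation: spread of gaps relative to their mean.
            cv = statistics.pstdev(gaps) / mean if mean else 0.0
            if statistics.median(gaps) < MIN_MEDIAN_MS or cv < MIN_CV:
                found.add("non-human-timing")
        if found:
            alerts[session] = sorted(found)
    return alerts

if __name__ == "__main__":
    for session, names in sorted(analyse(SAMPLE).items()):
        print(session, names)
```

Thresholds such as these would need tuning against real user sessions before being used for alerting.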
Figure 2 – Garrison SAVI® security model
Deployment
The full enterprise platform consists of the following components:
• The Garrison Isolation Appliance (GIA) – a 3U rackable unit with 3 network interfaces and up to
280 SAVI nodes
• The Garrison App – a lightweight app that runs on end-user Client devices to connect to the GIA
• The Garrison Profile Store – optional network storage used to store cookies, bookmarks and other
personalisation data for Internet sessions
• The Garrison Transfer Appliance (GTA) – a separate hardware security appliance providing support for
secure copy-and-paste and printing
• The Garrison System Manager – a software application providing configuration and management
functionality across multiple GIA and GTA devices
• The Garrison Connection Broker – a software service allowing multiple GIAs and GTAs to be combined for
unlimited scalability.
Initial small-scale deployments require only a single Garrison Isolation Appliance and lightweight client software
installations.
Figure 3 – Full Garrison SAVI® Isolation Solution Architecture
UK telephone +44 (0) 203 890 4504
US telephone +1 (646) 690-8824
www.garrison.com
© Garrison Technology Ltd 2018
CD00000099v2.4 - UK - October 2018
About us
Garrison Technology is a UK technology startup developing Garrison SAVI® technology both for traditional government
cross-domain requirements, and for commercial enterprises who want a Secure Remote Browsing platform that is
secure, affordable and provides a high quality user experience.